Bilinear Pairing-based Hybrid Mixnet with Anonymity Revocation
Andrea Huszti and Zita Kovács
Faculty of Informatics, University of Debrecen, Kassai street 26., Debrecen, Hungary
Keywords: Bilinear Pairings, Mix Network, Anonymity Revocation, Eligibility.
Abstract: A hybrid mix is presented that provides anonymity and eligibility verification of senders, the possibility of anonymous reply and anonymity revocation, which are usually required in practice. Furthermore, the proposed mix is capable of processing messages of arbitrary length. In the design we applied bilinear pairings due to their good properties. We compared the time and space complexity of Zhong's mix (Zhong, 2009) to ours and achieved better efficiency. In the security evaluation we prove that our mix is correct and provides anonymity and eligibility verification for senders.
1 INTRODUCTION AND PRELIMINARIES
In recent decades, the widespread use of public channels has led to the development of network-based services in which critical, confidential or personal information must be managed. Since these channels can easily be eavesdropped, the transmitted information needs protection. Several cryptographic primitives have been developed to protect confidential information from unauthorized access. In some cases it is also important that a message cannot be linked to its sender (for example, in electronic voting systems the voter and the vote must not be linkable).
In 1981, Chaum (Chaum, 1981) proposed a cryptographic construction called a mix network, which can be used to hide the senders' identities. In a mixnet, determining the identity of a sender is a hard problem even if all transferred messages are given. Each mix server receives messages originating from multiple senders, permutes them, performs cryptographic operations (decryption, encryption or re-encryption) and sends them to the next server.
This design was the basis for many applications, especially in the field of electronic voting (Sako and Kilian, 1995; Michels and Horster, 1996; Neff, 2001; Jakobsson et al., 2002). Further applications of mix networks include anonymous email (Parekh, 1996; Gulcu and Tsudik, 1996; Danezis et al., 2003), anonymous telecommunications (Pfitzmann et al., 1991; Jerichow et al., 1998), anonymous internet communications (Goldschlag et al., 1996; Syverson et al., 1997a) and location privacy (Federrath et al., 1996; Syverson et al., 1997b; Golle et al., 2002; Huang et al., 2006).
We propose a decryption/encryption-based mix applying bilinear pairings. Let us review the definition of the admissible bilinear map (Boneh and Franklin, 2001).
Definition 1.1. Let $G_1$ and $G_2$ be two groups of order $q$ for some large prime $q$. A map $e : G_1 \times G_1 \to G_2$ is an admissible bilinear map if it satisfies the following properties:
1. Bilinear: We say that a map $e : G_1 \times G_1 \to G_2$ is bilinear if $e(aP, bQ) = e(P, Q)^{ab}$ for all $P, Q \in G_1$ and all $a, b \in \mathbb{Z}$.
2. Non-degenerate: The map does not send all pairs in $G_1 \times G_1$ to the identity in $G_2$. Since $G_1$, $G_2$ are groups of prime order, if $P$ is a generator of $G_1$ then $e(P, P)$ is a generator of $G_2$.
3. Computable: There is an efficient algorithm to compute $e(P, Q)$ for any $P, Q \in G_1$.
We should mention that bilinearity can be restated as $e(P + Q, R) = e(P, R)\,e(Q, R)$ and $e(P, Q + R) = e(P, Q)\,e(P, R)$ for all $P, Q, R \in G_1$. We can find $G_1$ and $G_2$ where these properties hold; the Weil and Tate pairings prove the existence of such constructions. Typically, $G_1$ is an elliptic-curve group and $G_2$ is a finite field.
Usually the security of cryptographic protocols applying bilinear maps is based on the Bilinear Diffie-Hellman Problem.
Definition 1.2. (Bilinear Diffie-Hellman Problem (BDHP) in $G_1$)
Let $e : G_1 \times G_1 \to G_2$ be a bilinear map on $(G_1, G_2)$. The problem is, for every $a, b, c \in \mathbb{Z}_q$, given $P, aP, bP, cP$, to compute $e(P, P)^{abc}$.

Huszti A. and Kovács Z.
Bilinear Pairing-based Hybrid Mixnet with Anonymity Revocation.
DOI: 10.5220/0005273002380245
In Proceedings of the 1st International Conference on Information Systems Security and Privacy (ICISSP-2015), pages 238-245
ISBN: 978-989-758-081-9
Copyright © 2015 SCITEPRESS (Science and Technology Publications, Lda.)
BDHP is closely related to the Computational Diffie-Hellman Problem. For simplicity we give the definition in $G_1$.
Definition 1.3. (Computational Diffie-Hellman Problem (CDHP) in $G_1$)
The problem is, for every $a, b \in \mathbb{Z}_q$, given $P, aP, bP$, to compute $abP$.
Hardness of the BDHP implies the hardness of the CDHP in both $G_1$ and $G_2$. Note that the Decisional Diffie-Hellman Problem (DDHP) in $G_1$ can be efficiently solved.
Definition 1.4. (Decisional Diffie-Hellman Problem (DDHP) in $G_1$)
The problem is, for every $a, b, c \in \mathbb{Z}_q$, given $P, aP, bP$ and $cP$, to decide whether $cP = abP$.
By computing $e(P, cP) = e(P, P)^c$ and $e(aP, bP) = e(P, P)^{ab}$, one can decide whether $cP = abP$ holds, since $e(P, P)^{ab} = e(P, P)^c$ if and only if $abP = cP$. $G_1$ is a Gap Diffie-Hellman (GDH) group if the DDHP is easy and the CDHP is hard in $G_1$.
Assuming that BDHP is hard, a one-round three-party key agreement protocol can be constructed (Joux, 2000; Verheul, 2001). There are three participants, each possessing a secret value $a, b, c \in \mathbb{Z}_q$ respectively and publishing $aP, bP, cP$. With the given bilinear map $e : G_1 \times G_1 \to G_2$ the common secret key $K$ can be easily calculated as $K = e(bP, cP)^a = e(aP, cP)^b = e(aP, bP)^c$.
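The following Python example is added to illustrate Definitions 1.1-1.4 and the Joux three-party key agreement; it is not code from the paper. It uses a constructed toy model of an admissible bilinear map: $G_1$ is the additive group $\mathbb{Z}_q$ with generator $P = 1$ (so $aP$ is just the integer $a$), $G_2$ is the order-$q$ subgroup of $\mathbb{Z}_p^*$ for the safe prime $p = 2q + 1$, and $e(aP, bP) = g^{ab} \bmod p$. The model is bilinear and non-degenerate, so every identity in the text holds in it, but it is deliberately insecure (the discrete logarithm in this $G_1$ is the integer itself) and exists only to make the algebra executable; the parameters $q = 1019$, $p = 2039$, $g = 4$ are constructed for the example.

```python
import secrets

# Constructed toy parameters: q prime, p = 2q + 1 prime, g = 4 generates the
# order-q subgroup of Z_p^* (the quadratic residues). Algebra only, NOT secure.
q = 1019
p = 2 * q + 1          # 2039
g = 4
P = 1                  # generator of the additive toy group G1 = Z_q

def smul(a, X):
    """Scalar multiplication a*X in the toy G1 (integers mod q)."""
    return (a * X) % q

def e(X, Y):
    """Toy admissible bilinear map e : G1 x G1 -> G2 with e(aP, bP) = g^(ab)."""
    return pow(g, (X * Y) % q, p)

def is_bilinear(a, b, X, Y):
    """Definition 1.1 (1): e(aX, bY) == e(X, Y)^(ab)."""
    return e(smul(a, X), smul(b, Y)) == pow(e(X, Y), (a * b) % q, p)

def ddh_decide(P, aP, bP, cP):
    """Definition 1.4: decide whether cP == abP from the public points alone.
    e(P, cP) = e(P, P)^c and e(aP, bP) = e(P, P)^ab agree iff c = ab (mod q),
    which is why DDHP is easy in a pairing group while CDHP may stay hard."""
    return e(P, cP) == e(aP, bP)

def joux_three_party(a, b, c):
    """One-round tripartite key agreement (Joux, 2000): each party publishes a
    single point and combines the other two points with its own secret."""
    aP, bP, cP = smul(a, P), smul(b, P), smul(c, P)
    K_a = pow(e(bP, cP), a, p)     # party A knows a, sees bP and cP
    K_b = pow(e(aP, cP), b, p)     # party B knows b, sees aP and cP
    K_c = pow(e(aP, bP), c, p)     # party C knows c, sees aP and bP
    return K_a, K_b, K_c           # all equal e(P, P)^(abc)

def random_scalar():
    return secrets.randbelow(q - 1) + 1

if __name__ == "__main__":
    a, b, c = random_scalar(), random_scalar(), random_scalar()
    assert is_bilinear(a, b, P, smul(7, P))
    assert ddh_decide(P, smul(a, P), smul(b, P), smul(a * b, P))
    assert not ddh_decide(P, smul(a, P), smul(b, P), smul(a * b + 1, P))
    K_a, K_b, K_c = joux_three_party(a, b, c)
    assert K_a == K_b == K_c
    print("shared key e(P,P)^abc =", K_a)
```

The same three checks carry over unchanged to a real pairing group: the only thing the toy replaces is the representation of $G_1$ and $G_2$, not the identities that the protocol relies on.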
2 RELATED WORK
Chaum's proposal called forth several designs of anonymous communication channels. A good survey is given by Sampigethaya and Poovendran (Sampigethaya and Poovendran, 2006).
A hybrid mix is capable of handling arbitrarily long input messages. The hybrid mix proposed by Ohkubo and Abe (Ohkubo and Abe, 2000) is based on the intractability of the Decision Diffie-Hellman problem and realizes length-flexibility, length-invariance and provable security (in terms of anonymity).
Subsequently proposed mix network schemes, known as public-key mixes, have focused on achieving robustness, typically through heavy reliance on public-key operations (Jakobsson, 1998; Markus and Ari, 1999; Desmedt and Kurosawa, 2000; Mitomo and Kurosawa, 2000). Jakobsson and Juels presented an optimally robust hybrid mix network (Jakobsson and Juels, 2001). They used MAC keys to provide robustness, and in their paper they described the properties of correctness, privacy, robustness and indistinguishability (Jakobsson and Juels, 2001).
In 2009, Zhong proposed an identity-based mix network (Zhong, 2009) based on bilinear maps. His construction is a re-encryption mix that is suitable only for sending short messages, since it performs only asymmetric encryptions.
There are solutions that provide anonymous reply. In (Chaum, 1981) Chaum proposed untraceable return addresses, which allow the receiver to send a reply message without knowing the sender's identity. Another example is Mixminion (Danezis et al., 2003), an anonymous remailer protocol that supports Single-Use Reply Blocks (SURBs) to allow anonymous recipients. In these schemes the sender recursively encrypts the return address block and sends it in the body of the message. These encryptions are necessary even if the receiver does not intend to reply.
3 OUR HYBRID MIX
A hybrid mix uses both asymmetric and symmetric operations. It applies asymmetric cryptographic solutions for the key exchange and symmetric ones for encrypting plaintexts. Therefore a hybrid mix efficiently handles long messages as well as short ones. We designed a hybrid mix based on admissible bilinear maps due to their good properties. As far as we know, our construction is the first hybrid mixnet based on bilinear maps.
Usually, in the case of anonymous communication the receiver needs to know whether the sender is allowed to send a message, i.e. is eligible to do so. One can think of an e-exam or an e-voting scheme. In both cases there are requirements for participating: for e-exams one should verify whether the students have completed all prerequisites of the exam; for e-voting one should check whether the voters are citizens, have a clean record, etc. Usually eligibility is not provided by mix networks built in; cryptographers have to solve this problem separately.
There are situations when the receiver needs to send messages back to the anonymous sender in such a way that the sender remains anonymous. For example, in e-tender systems the anonymous applicants often have to submit supplements. In these cases a mix network should provide anonymous reply. In our construction cryptographic operations for the reply are needed only if the receiver actually sends messages back, which increases efficiency.
In order to prevent illegal activities, anonymity revocation is needed: there are circumstances when the identity of the anonymous sender should be retrieved. We provide eligibility and anonymity revocation with the help of a registry authority and the mixnet. We take advantage of bilinear maps, since they provide great services for three-party protocols. For anonymity revocation, besides the encrypted identities we also use commitment values. By verifying these values a receiver makes sure that after the deadline the senders' anonymity can be revoked. These values are based on user-specific, registry-specific and mixnet-specific elements, and bilinear maps make it possible for the three participants to verify (share) them easily.
Considering practical aspects, a mixnet is usually used in a situation where, besides sender anonymity, eligibility verification, the possibility of replying to an anonymous sender and anonymity revocation are also required. We have designed a mix network that provides all these requirements built in.
3.1 Preparation
We use the following notation for the participants. We denote senders by $S_i$, where $i = 1, \dots, n$, the publicly known receiver by $R$, the registry authority by $RA$, mix servers by $M_i$, where $i = 1, \dots, N$ (the last mix server is the receiver, i.e. $R = M_N$), and the bulletin board by ββ. Our proposed protocol can be built on any groups $G_1$, $G_2$ where $G_1$ is a Gap Diffie-Hellman group and $G_2$ is a multiplicative group. We assume that the Gap Diffie-Hellman problem is hard.
1. $RA$ generates the system parameters: groups $G_1$, $G_2$, bilinear map $e : G_1^2 \to G_2$, a generator element $P$ of $G_1$, and hash functions $H_1 : \{0, 1\}^* \to G_1$ and $H_2 : G_2 \to \{0, 1\}^l$. All parameters are made public.
2. Furthermore, $RA$ creates a random secret value $s \in \mathbb{Z}_q$ and outputs the public key $sP$.
3. Each $M_i$ generates a random, secret, composite value $m_i$ and outputs $\prod_{k=1}^{i} m_k P$. Finally $R$ chooses a random secret $m_N$ and calculates $mP = \prod_{k=1}^{N} m_k P$. This value is used for generating commitment values.
4. Each $M_i$ chooses a random secret value $x_i \in \mathbb{Z}_q$, then calculates and publishes the values $PK_{M_i} = x_i \prod_{j=1}^{i} m_j P$ and $\prod_{j=1}^{i} x_j m_j P$.
5. $R$ also chooses $x_N \in \mathbb{Z}_q$ and publishes $PK_R = x_N \prod_{j=1}^{N} m_j P = x_N mP$ and $\prod_{j=1}^{N} x_j m_j P = xmP$, where $x$ is never calculated explicitly. $R$ also outputs the public key $x_N P$ for providing anonymous reply.
3.2 Registration
We consider the situation where there are several senders and only one receiver. In practice there is often only one receiver; one can think of an e-voting, e-tender or e-survey scheme. Senders send messages anonymously to a (not anonymous) receiver. During registration $RA$ verifies the eligibility of each sender and blindly authorizes their messages. We applied blind short signatures (Boldyreva, 2003) with a small modification.
1. Let $msg$ denote the message that sender $S_i$ would like to send to receiver $R$. $S_i$ generates a random value $u^{(i)} \in \mathbb{Z}_q$.
2. $S_i$ authenticates himself to $RA$ and asks for authorization by sending his identification number (of bit length $l$) and $H_1(msg) + u^{(i)}P$ over a secret, authenticated channel.
3. $RA$ verifies whether $S_i$ is eligible to send messages to $R$. If $S_i$ is eligible, then $RA$ blindly signs $H_1(msg) + u^{(i)}P$ and sends $s(H_1(msg) + u^{(i)}P)$ to $S_i$. $RA$ also calculates a commitment value $\mu_i$ for verification purposes and $\varepsilon_i$, which is the sender's identity number encrypted:
$$\mu_i = e(mP, H_1(msg) + u^{(i)}P)^s$$
$$\varepsilon_i = S_i \oplus H_2\big(e(xmP, H_1(msg) + u^{(i)}P)^s\big)$$
4. $S_i$ calculates $sH_1(msg)$ with the knowledge of $u^{(i)}sP$ and generates $msg \| sH_1(msg)$, where $sH_1(msg)$ is $RA$'s signature on $msg$. $S_i$ also verifies $e(sH_1(msg), P) = e(sP, H_1(msg))$.
$RA$ makes the $(\mu_i, \varepsilon_i)$ pairs public in a permuted order on ββ.
3.3 Message Submission and Mixing
$S_i$ generates a secret random value $a_{s_i} \in \mathbb{Z}_q$ that is necessary for the reply and calculates the following plaintext:
$$p = msg \| sH_1(msg) \| a_{s_i}P$$
$S_i$ generates the following symmetric encryption keys:
$$K_j^{(i)} = H_2\big(e(PK_{M_j}, sP)^{u^{(i)}}\big), \quad j = 1, \dots, N-1$$
$$K_R^{(i)} = H_2\big(e(PK_R, sP)^{u^{(i)}}\big)$$
encrypts the plaintext $p$:
$$M_1^{(i)} = Enc_{K_1^{(i)}}\big(Enc_{K_2^{(i)}}(\dots Enc_{K_R^{(i)}}(p))\big),$$
randomly chooses $u_1^{(i)}, u_2^{(i)}$ such that $u^{(i)} = u_1^{(i)} \cdot u_2^{(i)}$, and sends $v_1^{(i)} \| w_1^{(i)} \| M_1^{(i)}$, where $v_1^{(i)} = u_1^{(i)}P$ and $w_1^{(i)} = u_2^{(i)}sP$, to $M_1$.
Mix server $M_j$ receives three concatenated values $v_j^{(i)} \| w_j^{(i)} \| M_j^{(i)}$ for each $S_i$. Values $v_j^{(i)}$ and $w_j^{(i)}$ are necessary for the symmetric key generation and the third one is the encrypted message. Each mix collects all messages from each $S_i$, $i = 1, \dots, n$, hence receives:
$$v_j^{(i)} = \prod_{k=1}^{j-1} a_k^{(i)} \cdot u_1^{(i)}P, \quad j = 2, \dots, N-1$$
$$w_j^{(i)} = \prod_{k=1}^{j-1} b_k^{(i)} \cdot u_2^{(i)}sP, \quad j = 2, \dots, N-1.$$
$M_j$ calculates $v_{j+1}^{(i)} = a_j^{(i)} \cdot v_j^{(i)}$ and $w_{j+1}^{(i)} = b_j^{(i)} \cdot w_j^{(i)}$, where $a_j^{(i)}, b_j^{(i)} \in \mathbb{Z}_q$ are randomly chosen such that $m_j = a_j^{(i)} \cdot b_j^{(i)}$, then gets the randomized symmetric key
$$K_j^{(i)} = H_2\big(e(v_{j+1}^{(i)}, w_{j+1}^{(i)})^{x_j}\big).$$
$M_j$ decrypts the ciphertexts $M_{j+1}^{(i)} = Dec_{K_j^{(i)}}(M_j^{(i)})$, then permutes the list of triplets $v_{j+1}^{(i)} \| w_{j+1}^{(i)} \| M_{j+1}^{(i)}$, $i = 1, \dots, n$, and outputs them to mix $M_{j+1}$.
3.4 Receiving the Message
$R$ receives $v_N^{(i)} \| w_N^{(i)} \| M_N^{(i)}$ for each $S_i$, calculates $K_R^{(i)} = H_2\big(e(v_N^{(i)}, m_N \cdot w_N^{(i)})^{x_N}\big)$ and decrypts $p = Dec_{K_R^{(i)}}(M_N^{(i)})$. We repeat that $p = msg \| sH_1(msg) \| a_{s_i}P$. $R$ examines whether the message $p$ came from an eligible sender by verifying the signature of $RA$. Hence $R$ confirms whether
$$e(sH_1(msg), P) = e(sP, H_1(msg)).$$
$R$ also checks whether the commitment value
$$\mu_i = e(v_N^{(i)}, m_N \cdot w_N^{(i)}) \cdot e(sH_1(msg), mP)$$
exists on ββ. If $R$ finds $\mu_i$, then $S_i$ sent the correct $uP$ and $H_1(msg) + u^{(i)}P$ to the first mix and to $RA$. That means the sender's encrypted identity can be decrypted by the mix servers and $R$ after the deadline. For eligible senders $R$ stores
$$\mu_i \| msg \| sH_1(msg) \| a_{s_i}P.$$
We will use $\mu_i$ for anonymity revocation and $a_{s_i}P$ to reply to the anonymous sender.
3.5 Anonymous Reply
In case receiver $R$ is willing to send a message $t$ back to the anonymous sender $S_i$, it chooses a random value $r_{s_i} \in \mathbb{Z}_q$, calculates the symmetric key $\hat K_R^{(i)} = H_2\big(e(r_{s_i} a_{s_i} P, r_{s_i}^{-1} sP)^{x_N}\big)$ and encrypts the message $t$: $\hat M_1^{(i)} = Enc_{\hat K_R^{(i)}}(t)$. $R$ sends $r_{s_i} a_{s_i} P \| r_{s_i}^{-1} sP \| \hat M_1^{(i)}$ for each sender to $M_1$. Each mix server $M_j$, after receiving $\hat v_j^{(i)} \| \hat w_j^{(i)} \| \hat M_j^{(i)}$, where
$$\hat v_j^{(i)} = \prod_{k=1}^{j-1} a_k^{(i)} \cdot r_{s_i} a_{s_i} P, \quad \hat w_j^{(i)} = \prod_{k=1}^{j-1} b_k^{(i)} \cdot r_{s_i}^{-1} sP,$$
calculates
$$\hat v_{j+1}^{(i)} = a_j^{(i)} \cdot \hat v_j^{(i)}, \quad \hat w_{j+1}^{(i)} = b_j^{(i)} \cdot \hat w_j^{(i)},$$
$$\hat K_j^{(i)} = H_2\big(e(\hat v_{j+1}^{(i)}, \hat w_{j+1}^{(i)})^{x_j}\big), \quad \hat M_{j+1}^{(i)} = Enc_{\hat K_j^{(i)}}(\hat M_j^{(i)}).$$
Values $a_j^{(i)}$ and $b_j^{(i)}$ are chosen randomly such that $m_j = a_j^{(i)} \cdot b_j^{(i)}$, and $M_j$ sends $\hat v_{j+1}^{(i)} \| \hat w_{j+1}^{(i)} \| \hat M_{j+1}^{(i)}$ to $M_{j+1}$. Server $M_{N-1}$ outputs all the calculated values together with $H_1(\hat K_{N-1}^{(i)})$ to ββ.
$S_i$ calculates the keys
$$\hat K_j^{(i)} = H_2\big(e(PK_{M_j}, sP)^{a_{s_i}}\big), \quad j = 1, \dots, N-1,$$
$$\hat K_R^{(i)} = H_2\big(e(x_N P, sP)^{a_{s_i}}\big),$$
looks for $H_1(\hat K_{N-1}^{(i)})$ on ββ, accesses all the data and decrypts the proper $\hat M_N^{(i)}$ with the keys above. $S_i$ gets the plaintext
$$t = Dec_{\hat K_R^{(i)}}\big(Dec_{\hat K_1^{(i)}}(\dots Dec_{\hat K_{N-1}^{(i)}}(\hat M_N^{(i)}))\big).$$
3.6 Anonymity Revocation
There are several applications where, after a certain deadline, the identity of the anonymous sender should be revealed. We could think of either an e-tender or an e-exam scheme. In general, anonymity revocation should be provided even if the sender is not willing to reveal his identity (e.g. an examinee does not want to get a bad grade).
Our solution determines the senders' real identity with the help of the mixnet. Receiver $R$ sends the value $\mu_i^{x_N}$ to the first mix. Each server $M_j$ raises the received value to the power $x_j$ and sends it to the next server. Finally, $\mu_i^{x}$ is obtained. After $H_2(\mu_i^{x}) = H_2\big(e(xmP, H_1(msg) + u^{(i)}P)^s\big)$ is calculated, the identity number $S_i$ is recovered with the help of $\varepsilon_i$.
We should mention that if the sender is willing to participate in the revocation process, then the real identity can be determined without the mix servers in an easier and lower-cost way. If the sender provides the secret value $u^{(i)}$, $RA$ can retrieve the sender's identity by calculating $H_2\big(e(xmP, H_1(msg) + u^{(i)}P)^s\big)$.
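The Python example below is added to run Sections 3.1 through 3.4 and 3.6 end to end; it is not code from the paper. It reuses the constructed toy pairing of the preliminaries example ($G_1 = \mathbb{Z}_q$ with $P = 1$, $G_2$ the order-$q$ subgroup of $\mathbb{Z}_p^*$, $e(aP, bP) = g^{ab}$, with $q = 1019$, $p = 2039$, $g = 4$), so it reproduces the algebra and not the security. Everything not fixed by the paper is an assumption of this example: $H_1$ and $H_2$ are SHA-256 reduced into the toy groups, the symmetric cipher $Enc$/$Dec$ (which the paper leaves unspecified) is replaced by a SHA-256 counter keystream XOR, the plaintext fields of $p$ are separated with `|`, the identity number is a short byte string (so $\varepsilon_i$ is truncated to its length), and the bulletin board is a dictionary. The blind signature is modelled by its unblinding step only: $RA$ returns $s(H_1(msg) + u^{(i)}P)$ and the sender subtracts $u^{(i)}sP$.

```python
import hashlib
import secrets

# Constructed toy pairing (see the preliminaries example): G1 = Z_q with P = 1,
# G2 = order-q subgroup of Z_p^*, e(aP, bP) = g^(ab). Algebra only, NOT secure.
q, p, g = 1019, 2039, 4

def e(X, Y):
    return pow(g, (X * Y) % q, p)

def H1(msg):                      # H1 : {0,1}* -> G1   (assumption: SHA-256 mod q)
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q

def H2(z):                        # H2 : G2 -> {0,1}^l  (assumption: SHA-256, l = 256)
    return hashlib.sha256(z.to_bytes(2, "big")).digest()

def sym(key, data):
    """Toy Enc = Dec: XOR with a SHA-256 counter keystream (stand-in for the
    unspecified symmetric cipher of the paper; demonstration only)."""
    out = bytearray()
    for i, byte in enumerate(data):
        if i % 32 == 0:
            ks = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.append(byte ^ ks[i % 32])
    return bytes(out)

def rnd():
    return secrets.randbelow(q - 1) + 1

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class System:
    """3.1 Preparation: RA's s, each M_j's (m_j, x_j) with R = M_N, and the
    published PK_{M_j} = x_j prod_{k<=j} m_k P (PK_R = PK[N-1]), mP and xmP."""
    def __init__(self, N):
        self.N, self.s = N, rnd()
        self.m = [rnd() for _ in range(N)]
        self.x = [rnd() for _ in range(N)]
        self.PK, pm, pxm = [], 1, 1
        for j in range(N):
            pm, pxm = pm * self.m[j] % q, pxm * self.x[j] * self.m[j] % q
            self.PK.append(self.x[j] * pm % q)
        self.sP, self.mP, self.xmP = self.s, pm, pxm
        self.board = {}                       # bulletin board ββ: mu_i -> eps_i

    def register(self, ident, blinded):
        """3.2: RA blind-signs H1(msg)+uP and publishes (mu_i, eps_i)."""
        mu = pow(e(self.mP, blinded), self.s, p)
        self.board[mu] = xor(ident, H2(pow(e(self.xmP, blinded), self.s, p)))
        return self.s * blinded % q

def sender(sysm, ident, msg):
    """3.2 + 3.3: unblind RA's signature, derive K_1..K_{N-1}, K_R, build the onion."""
    u, a_s, h = rnd(), rnd(), H1(msg)
    sig = (sysm.register(ident, (h + u) % q) - u * sysm.sP) % q   # sH1(msg)
    assert e(sig, 1) == e(sysm.sP, h)                            # S_i's own check
    M = b"|".join([msg, str(sig).encode(), str(a_s).encode()])   # p = msg||sH1(msg)||a_s P
    for PK in reversed(sysm.PK):                                 # innermost layer uses K_R
        M = sym(H2(pow(e(PK, sysm.sP), u, p)), M)
    u1 = rnd()
    u2 = u * pow(u1, -1, q) % q                                   # u = u1 * u2
    return (u1, u2 * sysm.sP % q, M)                              # v_1 || w_1 || M_1

def mix(sysm, j, batch):
    """3.3: M_j (0-based, j < N-1) splits m_j = a*b, re-randomizes (v, w),
    derives the same K_j the sender used, strips one layer and shuffles."""
    out = []
    for v, w, M in batch:
        a = rnd()
        b = sysm.m[j] * pow(a, -1, q) % q
        v2, w2 = a * v % q, b * w % q
        out.append((v2, w2, sym(H2(pow(e(v2, w2), sysm.x[j], p)), M)))
    secrets.SystemRandom().shuffle(out)
    return out

def receive(sysm, batch):
    """3.4: R derives K_R, decrypts, checks RA's signature and that mu_i is on ββ."""
    N, accepted = sysm.N, []
    for v, w, M in batch:
        mNw = sysm.m[N - 1] * w % q
        parts = sym(H2(pow(e(v, mNw), sysm.x[N - 1], p)), M).rsplit(b"|", 2)
        if len(parts) != 3:
            continue                                  # wrong key: not a valid plaintext
        msg, sig, a_s = parts[0], int(parts[1]), int(parts[2])
        mu = e(v, mNw) * e(sig, sysm.mP) % p          # commitment recomputed by R
        if e(sig, 1) == e(sysm.sP, H1(msg)) and mu in sysm.board:
            accepted.append((mu, msg, a_s))
    return accepted

def revoke(sysm, mu):
    """3.6: R raises mu_i to x_N, each mix to its x_j; H2 of mu_i^x unmasks eps_i."""
    t = pow(mu, sysm.x[sysm.N - 1], p)
    for j in range(sysm.N - 1):
        t = pow(t, sysm.x[j], p)
    return xor(sysm.board[mu], H2(t))

def run(N=4, senders=((b"ID-0001", b"alpha"), (b"ID-0002", b"a longer message of arbitrary length"), (b"ID-0003", b"gamma"))):
    """Drive the protocol end to end; return {msg: identity recovered by revocation}."""
    sysm = System(N)
    batch = [sender(sysm, ident, msg) for ident, msg in senders]
    for j in range(N - 1):
        batch = mix(sysm, j, batch)
    return {msg: revoke(sysm, mu) for mu, msg, _ in receive(sysm, batch)}
```

Running `run()` exercises the three identities the construction rests on: the sender's $K_j^{(i)}$ and the mix's $H_2(e(v_{j+1}^{(i)}, w_{j+1}^{(i)})^{x_j})$ agree because $a_j^{(i)} b_j^{(i)} = m_j$ and $u_1^{(i)} u_2^{(i)} = u^{(i)}$; the receiver's recomputed $\mu_i$ matches $RA$'s because $e(v_N, m_N w_N)\,e(sH_1(msg), mP) = e(mP, H_1(msg) + u^{(i)}P)^s$; and $\mu_i^{x}$ raised hop by hop equals the mask under $\varepsilon_i$. A message of arbitrary length passes through unchanged, which is the hybrid property the section claims.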
4 SECURITY EVALUATION
In this section we show that our mix provides the security requirements of correctness, anonymity and eligibility.
4.1 Correctness
First we prove that our scheme is correct concerning the mix process, the anonymous reply and also the process of anonymity revocation.
Definition 4.1. We call our mixnet correct if for every plaintext calculated by the receiver there is a corresponding ciphertext in the input list of the mixnet. This means that every plaintext is a multiple decryption of a ciphertext, and no two plaintexts are the multiple decryptions of the same ciphertext.
The following theorem states that our mixnet is correct.
Theorem 4.1. The proposed mix protocol is operating correctly.
Proof. Each sender $S_i$ (where $i = 1, \dots, n$) sends a triplet $(v_1^{(i)} = u_1^{(i)}P \| w_1^{(i)} = u_2^{(i)}sP \| M_1^{(i)})$ to the first mix server $M_1$. The third value $M_1^{(i)}$ is an $N$-fold encryption of the plaintext $p$ which contains the message $msg$ of $S_i$. $M_1$ receives $n$ triplets and $M_j$ (where $j = 2, \dots, N-1$) receives a permutation of modified triplets from $M_{j-1}$. The sender calculates the symmetric keys for secure communication with each mix server $M_j$:
$$K_j^{(i)} = H_2\big(e(PK_{M_j}, sP)^{u^{(i)}}\big) = H_2\Big(e\big(x_j \prod_{k=1}^{j} m_k P, sP\big)^{u^{(i)}}\Big)$$
where $j = 1, \dots, N-1$, and the mix server $M_J$ (where $J = 1, \dots, N-1$) calculates this symmetric key:
$$K_J^{(i)} = H_2\Big(e\big(\prod_{k=1}^{J} a_k^{(i)} u_1^{(i)} P, \prod_{k=1}^{J} b_k^{(i)} u_2^{(i)} sP\big)^{x_J}\Big)$$
Because of the bilinear property of the mapping $e$ the corresponding keys are the same if and only if $j = J$. (Note that $m_k = a_k^{(i)} \cdot b_k^{(i)}$ and $u^{(i)} = u_1^{(i)} \cdot u_2^{(i)}$.) The receiver $R$ receives a set of triplets from $M_{N-1}$:
$$(v_N^{\sigma(i)} \| w_N^{\sigma(i)} \| M_N^{\sigma(i)})$$
where $\sigma(i)$ is a permutation of $i = 1, \dots, n$, and gets:
$$(v_N^{\sigma(i)} \| m_N \cdot w_N^{\sigma(i)} \| M_N^{\sigma(i)})$$
In order to get the plaintexts, the receiver does the following calculation for all $M_N^{(j)}$:
$$p'_j = Dec_{K_R^{(j)}}(M_N^{(j)}) = Dec_{K_R^{(j)}}\big(Enc_{K_R^{(i)}}(p_i)\big)$$
where $j = 1, \dots, n$, $i = \sigma(j)$ and
$$K_R^{(j)} = H_2\big(e(v_N^{(j)}, m_N \cdot w_N^{(j)})^{x_N}\big) = H_2\Big(e\big(\prod_{k=1}^{N-1} a_k^{(j)} u_1^{(i)} P, \; m_N \prod_{k=1}^{N-1} b_k^{(j)} u_2^{(i)} sP\big)^{x_N}\Big)$$
and the symmetric key for $R$ calculated by the sender $S_i$:
$$K_R^{(i)} = H_2\big(e(PK_R, sP)^{u^{(i)}}\big) = H_2\big(e(x_N mP, sP)^{u^{(i)}}\big)$$
Thus, using the bilinear property of the mapping $e$, the receiver is able to get a plaintext if and only if $K_R^{(j)} = K_R^{(i)}$, and then the plaintext $p'_j$ is $p_i$.
The anonymous reply works similarly to the message submission. In this case the sender is $R$ and the anonymous receiver is the sender $S_i$ who sent the message $msg$ that is stored with $a_{s_i}P$. In order to obtain the reply message, $S_i$ calculates
$$H_1(\hat K_{N-1}^{(i)}) = H_1\big(H_2(e(PK_{M_{N-1}}, sP)^{a_{s_i}})\big) = H_1\Big(H_2\big(e(x_{N-1} \prod_{j=1}^{N-1} m_j P, sP)^{a_{s_i}}\big)\Big)$$
and searches for this value on ββ. The list of messages contains the values
$$\hat v_N^{(i)} = \prod_{k=1}^{N-1} a_k^{(i)} r_{s_i} a_{s_i} P, \quad \hat w_N^{(i)} = \prod_{k=1}^{N-1} b_k^{(i)} r_{s_i}^{-1} sP,$$
$$\hat M_N^{(i)} = Enc_{\hat K_{N-1}^{(i)}}\big(\dots (Enc_{\hat K_1^{(i)}}(Enc_{\hat K_R^{(i)}}(t)))\big)$$
where
$$\hat K_j^{(i)} = H_2\Big(e\big(\prod_{k=1}^{j} a_k^{(i)} r_{s_i} a_{s_i} P, \prod_{k=1}^{j} b_k^{(i)} r_{s_i}^{-1} sP\big)^{x_j}\Big)$$
is calculated by mix server $M_j$. Due to the bilinear property of $e$ these keys are the same as the keys the sender $S_i$ calculates for $M_j$:
$$H_2\big(e(PK_{M_j}, sP)^{a_{s_i}}\big) = H_2\Big(e\big(x_j \prod_{k=1}^{j} m_k P, sP\big)^{a_{s_i}}\Big).$$
Furthermore $R$ calculates the symmetric key
$$\hat K_{R_1} = H_2\big(e(r_{s_i} a_{s_i} P, r_{s_i}^{-1} sP)^{x_N}\big)$$
and $S_i$ calculates the symmetric key
$$\hat K_{R_2} = H_2\big(e(x_N P, sP)^{a_{s_i}}\big).$$
The mapping $e$ has the bilinear property, so
$$\hat K_{R_1} = H_2\big(e(r_{s_i} a_{s_i} P, r_{s_i}^{-1} sP)^{x_N}\big) = H_2\big(e(x_N P, sP)^{a_{s_i}}\big) = \hat K_{R_2}$$
holds.
Let us note that among the anonymous participants only $S_i$ is able to calculate the necessary keys, since the secret value $a_{s_i}$ is needed.
4.2 Anonymity
We consider a static adversary in a semi-honest model. A model is called semi-honest if the dishonest users follow the protocol and also keep a record of all intermediate results. An adversary is static if the corrupted players are specified at the beginning of the protocol, they stay corrupted during the whole process and no new ones join them. The adversary observes all public information and possesses all attacked players' secret information (i.e. keys, permutation).
The anonymity property of our system says that an adversary who has access to corrupt players' secret data and observes all the public information of the protocol, including the views of the registry and mix servers, input ciphertexts and the shuffled list of output messages, cannot tell which message was sent by which sender. We also assume that there is at least one mix server and two senders that are not corrupted by the adversary, i.e. the secret permutation and secret keys are not revealed to the adversary, and furthermore that the registry and the receiver do not collude.
In order to give the proof, we assume that the following problem in $(G_1, G_2, e)$ is hard.
Definition 4.2. For every $r, r_1, r_2, r_3, r_4 \in \mathbb{Z}_q$, given $P, rP \in G_1$ and $(V_0, W_0)$, $(V_1, W_1)$, $(r_1 V_b, r_2 W_b)$, $(r_3 V_{\bar b}, r_4 W_{\bar b})$, where $r_1 r_2 = r_3 r_4 = r$, the problem is to output $b \in \{0, 1\}$.
Let us review the Matching Find-Guess Problem (MFGP) (Fujisaki and Okamoto, 1999).
Definition 4.3. Matching Find-Guess (MFG) Problem (Fujisaki and Okamoto, 1999)
For every plaintexts $x_0, x_1$ and for every symmetric keys $K_0, K_1$, given $(Enc_{K_0}(x_0), Enc_{K_1}(x_1), x_b, x_{\bar b})$, the problem is to output $b \in \{0, 1\}$.
Studying the proposed mix network, one can see that the identity of a sender cannot be retrieved, since the attacker cannot connect messages of the input lists of $M_i$ and $M_{i+1}$: the attacker is not able to solve the MFGP, the BDHP or the problem given in Definition 4.2.
An adversary is able to connect messages of the input lists if he can calculate the secret symmetric key, i.e. if he can calculate
$$K_j^{(i)} = H_2\big(e(PK_{M_j}, sP)^{u^{(i)}}\big) = H_2\Big(e(u_1^{(i)}P, u_2^{(i)}sP)^{x_j \prod_{k=1}^{j} m_k}\Big), \quad j = 1, \dots, N.$$
The adversary has access to the public key $PK_{M_j} = x_j \prod_{k=1}^{j} m_k P$ and the messages
$$v_1^{(i)} = u_1^{(i)}P, \quad w_1^{(i)} = u_2^{(i)}sP,$$
that are sent by $S_i$. Since the BDHP is hard, the adversary is not able to calculate $K_j^{(i)} = H_2\big(e(u_1^{(i)}P, u_2^{(i)}sP)^{x_j \prod_{k=1}^{j} m_k}\big)$.
An adversary can connect messages of the input lists if he is able to find a relationship between $M_j^{(i)}$ and $M_j^{(i+1)}$. Since the MFGP is hard, this is not possible.
The third way to match messages is to connect the pairs $(v_j^{(i)}, w_j^{(i)})$ and $(v_{j+1}^{(i)}, w_{j+1}^{(i)})$. Since the problem given in Definition 4.2 is hard, the adversary is not successful.
4.3 Eligibility
We assume a threat model where senders during registration and message submission are in a controlled room, i.e. corrupt eligible senders are not allowed to send messages (e.g. $msg$, $s(H_1(msg))$, $u^{(i)}$) to the adversary. In this case the adversary should choose values $(v_1^{(i)}, w_1^{(i)}, M_1^{(i)})$ such that, after the mix process, the receiver could find
$$\mu_i = e(v_N^{(i)}, m_N \cdot w_N^{(i)}) \cdot e(sH_1(msg), mP) = e(mP, H_1(msg) + u^{(i)}P)^s$$
on ββ. Assuming that short signature generation without knowledge of the secret key is hard, the attacker cannot calculate the correct triplet, hence cannot successfully submit messages to the mix network.
5 PROPERTIES
We also examined the time and space complexity of our solution and compared it to the identity-based scheme proposed by Zhong (Zhong, 2009). His scheme is also based on bilinear pairings and implements a mix network, as ours does. We denote the operations as follows: additions in $G_1$ (ADD), scalar multiplications of elements in $G_1$ (SMU), multiplications in $G_2$ (MUL), bilinear maps (BMP) and divisions in $G_2$ (DIV). First we compare the number of those operations that are provided by both systems: submitting, mixing and receiving messages. The following tables contain the number of calculations of the participants.

Sender (#n)           SMU   MUL        BMP   ADD
IB mix                2     1          1     1
Our mix               3     0          N     0

Mix servers (#N-1)    ADD   MUL        SMU   BMP
IB mix                n     n          2n    2n
Our mix               0     0          3n    n

Receiver              ADD   MUL        SMU   BMP   DIV
IB mix                n     (n+N-1)    2n    2n    n
Our mix               0     0          2n    n     0

In our system the sender performs more calculations, since symmetric keys are generated for encrypting arbitrarily long messages, which is not provided in (Zhong, 2009). Nevertheless, both the receiver's and the mix servers' calculations are more efficient in our case. We should mention that in the case of cascade mixnets the first server starts its operation only when it has received a sufficient number of messages. Basically, the efficiency of a mix depends on the computations made by the servers and the receivers.
Compared to Zhong's system we provide additional, optional services: anonymous reply, eligibility and revocation. The process and the cost of the reply are similar to those of the message submission.
In our solution the sender's eligibility is provided by the signature of the registration authority $RA$ and the value $\mu_i$ on ββ. The extra cost of eligibility verification is, for the senders: 1 SMU, 2 BMP, 1 ADD and 1 ADDINV (additive inverse in $G_1$) calculations; for the registration authority: $n$ SMU and $2n$ BMP calculations; and for the receiver: $4n$ BMP, $n$ MUL and $n$ SMU calculations (where $n$ is the number of senders, and thus the number of messages).
We provide anonymity revocation as well. If the senders are not cooperative, then the receiver $R$ and the mix servers together retrieve the senders' identities, which costs $n$ EXP (exponentiation in $G_2$) calculations for the receiver and for each server.
The overall space complexity of the communication is the following (κ bits security parameter):

             κ bits security params
IB mix       (3N-2)κn
Our mix      3Nκn

It is shown that our mix is capable of handling arbitrarily long messages in an efficient way with $2\kappa n$ extra space.
6 CONCLUSION AND FUTURE WORK
In this paper we proposed a bilinear pairing-based hybrid mix together with its security and efficiency evaluation. We proved that the participants can send messages in an anonymous way and, if necessary, the real identity can be revealed after a certain deadline by the collaboration of the receiver and the mix servers.
Our mix also provides the possibility of eligibility verification, which is an important service in the case of anonymous communication.
Furthermore, our mix network allows anonymous reply in such a way that the sender's identity still remains secret.
Finally, this is a hybrid mix, making it possible to transmit messages of arbitrary length. We could think of either an e-voting application, where the messages are usually short, or an e-exam application, where the messages could be short or long as well.
In the future we plan to give a formal security evaluation for anonymity and eligibility and to examine how our hybrid mix can be applied to one of the most complicated applications, an e-exam.
ACKNOWLEDGEMENT
The publication was supported by the TÁMOP-4.2.2.C-11/1/KONV-2012-0001 project. The project has been supported by the European Union, co-financed by the European Social Fund. The author is also supported by the Hungarian National Foundation for Scientific Research Grant No. NK 104208.
REFERENCES
Boldyreva, A. (2003). Threshold signatures, multisignatures and blind signatures based on the Gap-Diffie-Hellman-group signature scheme. In Proceedings of the 6th International Workshop on Theory and Practice in Public Key Cryptography: Public Key Cryptography, PKC '03, pages 31–46, London, UK. Springer-Verlag.
Boneh, D. and Franklin, M. K. (2001). Identity-based encryption from the Weil pairing. In Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology, CRYPTO '01, pages 213–229, London, UK. Springer-Verlag.
Chaum, D. L. (1981). Untraceable electronic mail, return addresses, and digital pseudonyms. Commun. ACM, 24(2):84–90.
Danezis, G., Dingledine, R., Hopwood, D., and Mathewson, N. (2003). Mixminion: Design of a Type III anonymous remailer protocol. In Proceedings of the 2003 IEEE Symposium on Security and Privacy, pages 2–15.
Desmedt, Y. and Kurosawa, K. (2000). How to break a practical mix and design a new one.
Federrath, H., Jerichow, A., and Pfitzmann, A. (1996). Mixes in mobile communication systems: Location management with privacy. In Proceedings of the First International Workshop on Information Hiding, pages 121–135, London, UK. Springer-Verlag.
Fujisaki, E. and Okamoto, T. (1999). Secure integration of asymmetric and symmetric encryption schemes. In Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology, CRYPTO '99, pages 537–554, London, UK. Springer-Verlag.
Goldschlag, D. M., Reed, M. G., and Syverson, P. F. (1996). Hiding routing information. In Information Hiding, pages 137–150. Springer-Verlag.
Golle, P., Jakobsson, M., Juels, A., and Syverson, P. (2002). Universal re-encryption for mixnets. In Proceedings of the 2004 RSA Conference, Cryptographers' Track, pages 163–178. Springer-Verlag.
Gulcu, C. and Tsudik, G. (1996). Mixing email with Babel. In Symposium on Network and Distributed System Security, pages 2–16.
Huang, L., Yamane, H., Matsuura, K., and Sezaki, K. (2006). Silent cascade: Enhancing location privacy without communication QoS degradation. In Clark, J. A., Paige, R. F., Polack, F., and Brooke, P. J., editors, SPC, volume 3934 of Lecture Notes in Computer Science, pages 165–180. Springer.
Jakobsson, M. (1998). A practical mix. In Advances in Cryptology - EUROCRYPT '98, International Conference on the Theory and Application of Cryptographic Techniques, Espoo, Finland, May 31 - June 4, 1998, Proceeding, pages 448–461.
Jakobsson, M. and Juels, A. (2001). An optimally robust hybrid mix network. PODC '01.
Jakobsson, M., Juels, A., and Rivest, R. L. (2002). Making mix nets robust for electronic voting by randomized partial checking. In Proceedings of the 11th USENIX Security Symposium, pages 339–353, Berkeley, CA, USA. USENIX Association.
Jerichow, A., Müller, J., Pfitzmann, A., Pfitzmann, B., and Waidner, M. (1998). Real-time mixes: a bandwidth-efficient anonymity protocol. IEEE Journal on Selected Areas in Communications, pages 495–509.
Joux, A. (2000). A one round protocol for tripartite Diffie-Hellman. In Proceedings of the 4th International Symposium on Algorithmic Number Theory, ANTS-IV, pages 385–394, London, UK. Springer-Verlag.
Markus, J. and Ari, J. (1999). Millimix: Mixing in small batches. Technical report.
Michels, M. and Horster, P. (1996). Some remarks on a receipt-free and universally verifiable mix-type voting scheme. In Kim, K. and Matsumoto, T., editors, ASIACRYPT, volume 1163 of Lecture Notes in Computer Science, pages 125–132. Springer.
Mitomo, M. and Kurosawa, K. (2000). Attack for flash mix. In Advances in Cryptology - ASIACRYPT 2000, LNCS, pages 192–204. Springer-Verlag.
Neff, C. A. (2001). A verifiable secret shuffle and its application to e-voting. In Proceedings of the 8th ACM Conference on Computer and Communications Security, CCS '01, pages 116–125, New York, NY, USA. ACM.
Ohkubo, M. and Abe, M. (2000). A length-invariant hybrid mix. In Okamoto, T., editor, ASIACRYPT, volume 1976 of Lecture Notes in Computer Science, pages 178–191. Springer.
Parekh, S. (1996). Prospects for remailers. First Monday, 1(2).
Pfitzmann, A., Pfitzmann, B., and Waidner, M. (1991). ISDN-mixes: Untraceable communication with very small bandwidth overhead. In Proceedings of the GI/ITG Conference on Communication in Distributed Systems, pages 451–463. Springer-Verlag.
Sako, K. and Kilian, J. (1995). Receipt-free mix-type voting scheme: A practical solution to the implementation of a voting booth. In Proceedings of the 14th Annual International Conference on Theory and Application of Cryptographic Techniques, EUROCRYPT '95, pages 393–403, Berlin, Heidelberg. Springer-Verlag.
Sampigethaya, K. and Poovendran, R. (2006). A survey on mix networks and their secure applications. Proceedings of the IEEE, 94(12):2142–2181.
Syverson, P. F., Goldschlag, D. M., and Reed, M. G. (1997a). Anonymous connections and onion routing. In Proceedings of the 1997 IEEE Symposium on Security and Privacy, SP '97, pages 44–, Washington, DC, USA. IEEE Computer Society.
Syverson, P. F., Goldschlag, D. M., and Reed, M. G. (1997b). Protocols using anonymous connections: Mobile applications. In Security Protocols: Fifth International Workshop, pages 13–23. Springer-Verlag.
Verheul, E. R. (2001). Evidence that XTR is more secure than supersingular elliptic curve cryptosystems. In J. Cryptology, pages 195–210. Springer-Verlag.
Zhong, S. (2009). Identity-based mix: Anonymous communications without public key certificates. Computers & Electrical Engineering, (5):705–711.